makefile update and e2e tests

Signed-off-by: Sertac Ozercan <sozercan@gmail.com>

.github/workflows/workflow.yaml

@@ -114,6 +114,49 @@ jobs:
           path: |
             logs-*.json
 
+  build_test_externaldata:
+    name: "[External Data] Build and Test"
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    strategy:
+      matrix:
+        KUBERNETES_VERSION: ["1.22.0"]
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v2
+
+      - name: Set up Go 1.16
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.16
+
+      - name: Bootstrap e2e
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/bin
+          echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
+          make e2e-bootstrap KUBERNETES_VERSION=${{ matrix.KUBERNETES_VERSION }}
+
+      - name: Run e2e
+        run: |
+          make e2e-build-load-image IMG=gatekeeper-e2e:latest CRD_IMG=gatekeeper-crds:latest
+          make deploy-mutation IMG=gatekeeper-e2e:latest USE_LOCAL_IMG=true ENABLE_EXTERNAL_DATA=true
+          # there should be no additional manifest changes
+          git diff --exit-code
+          make test-e2e ENABLE_MUTATION_TESTS=1 ENABLE_EXTERNAL_DATA_TESTS=1
+
+      - name: Save logs
+        run: |
+          kubectl logs -n gatekeeper-system -l control-plane=controller-manager --tail=-1 > logs-controller.json
+          kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-audit.json
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v2
+        if: ${{ always() }}
+        with:
+          name: logs
+          path: |
+            logs-*.json
+
   helm_build_test:
     name: "[Helm] Build and Test"
     runs-on: ubuntu-latest

Makefile

@@ -6,6 +6,7 @@ CRD_IMG := $(CRD_REPOSITORY):latest
 # DEV_TAG will be replaced with short Git SHA on pre-release stage in CI
 DEV_TAG ?= dev
 USE_LOCAL_IMG ?= false
+ENABLE_EXTERNAL_DATA ?= false
 
 VERSION := v3.6.0-beta.3
 
@@ -181,6 +182,9 @@ install: manifests
 
 deploy-mutation: patch-image
 	@grep -q -v 'enable-mutation' ./config/overlays/dev_mutation/manager_image_patch.yaml && sed -i '/- --operation=webhook/a \ \ \ \ \ \ \ \ - --enable-mutation=true' ./config/overlays/dev_mutation/manager_image_patch.yaml && sed -i '/- --operation=status/a \ \ \ \ \ \ \ \ - --operation=mutation-status' ./config/overlays/dev_mutation/manager_image_patch.yaml
+ifeq ($(ENABLE_EXTERNAL_DATA),true)
+	@grep -q -v 'enable-external-data' ./config/overlays/dev_mutation/manager_image_patch.yaml && sed -i '/- --enable-mutation=true/a \ \ \ \ \ \ \ \ - --enable-external-data=true' ./config/overlays/dev_mutation/manager_image_patch.yaml
+endif
 	docker run -v $(shell pwd)/config:/config -v $(shell pwd)/vendor:/vendor \
 		k8s.gcr.io/kustomize/kustomize:v${KUSTOMIZE_VERSION} build \
 		--load_restrictor LoadRestrictionsNone \
@@ -192,6 +196,9 @@ deploy-mutation: patch-image
 
 # Deploy controller in the configured Kubernetes cluster in ~/.kube/config
 deploy: patch-image manifests
+ifeq ($(ENABLE_EXTERNAL_DATA),true)
+	@grep -q -v 'enable-external-data' ./config/overlays/dev/manager_image_patch.yaml && sed -i '/- --operation=webhook/a \ \ \ \ \ \ \ \ - --enable-external-data=true' ./config/overlays/dev/manager_image_patch.yaml
+endif
 	docker run -v $(shell pwd)/config:/config -v $(shell pwd)/vendor:/vendor \
 		k8s.gcr.io/kustomize/kustomize:v${KUSTOMIZE_VERSION} build \
 		/config/overlays/dev | kubectl apply -f -

test/bats/test.bats

@@ -75,6 +75,71 @@ teardown_file() {
   assert_equal "" "${output}"
 
   kubectl delete --ignore-not-found svc mutate-svc
+  kubectl delete --ignore-not-found assignmetadata k8sownerlabel
+  kubectl delete --ignore-not-found assign k8sexternalip
+}
+
+@test "external data provider crd is established" {
+  if [ -z $ENABLE_EXTERNAL_DATA_TESTS ]; then
+    skip "skipping external data tests"
+  fi
+  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl wait --for condition=established --timeout=60s crd/providers.externaldata.gatekeeper.sh"
+}
+
+@test "gatekeeper external data mutation test" {
+  if [[ -z $ENABLE_EXTERNAL_DATA_TESTS || -z $ENABLE_MUTATION_TESTS ]]; then
+    skip "skipping external data mutation tests"
+  fi
+
+  # TODO(sertac): location is temporary for testing purposes.
+  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f https://raw.githubusercontent.com/sozercan/tagToDigest-provider/v0.0.1/manifest/deployment.yaml"
+  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f https://raw.githubusercontent.com/sozercan/tagToDigest-provider/v0.0.1/manifest/service.yaml"
+  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f https://raw.githubusercontent.com/sozercan/tagToDigest-provider/v0.0.1/manifest/rbac.yaml"
+
+  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f https://raw.githubusercontent.com/sozercan/tagToDigest-provider/v0.0.1/policy/provider.yaml"
+
+  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f https://raw.githubusercontent.com/sozercan/tagToDigest-provider/v0.0.1/policy/assign.yaml"
+
+  kubectl wait --for=condition=Ready --timeout=60s pod -l run=tagtodigest-provider
+
+  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f https://raw.githubusercontent.com/sozercan/tagToDigest-provider/v0.0.1/policy/examples/test.yaml"
+
+  run kubectl get deploy test-deployment -o jsonpath="{.spec.template.spec.containers[?(@.name=='tag')].image}"
+  assert_match "sha256" "${output}"
+  assert_success
+
+  kubectl delete --ignore-not-found deploy test-deployment
+  kubectl delete --ignore-not-found assign mutate-image
+}
+
+@test "gatekeeper external data validation test" {
+  if [ -z $ENABLE_EXTERNAL_DATA_TESTS ]; then
+    skip "skipping external data validation tests"
+  fi
+
+  # TODO(sertac): location is temporary for testing purposes.
+  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f https://raw.githubusercontent.com/sozercan/cosign-provider/v0.0.1/manifest/deployment.yaml"
+  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f https://raw.githubusercontent.com/sozercan/cosign-provider/v0.0.1/manifest/rbac.yaml"
+  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f https://raw.githubusercontent.com/sozercan/cosign-provider/v0.0.1/manifest/service.yaml"
+  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f https://raw.githubusercontent.com/sozercan/cosign-provider/v0.0.1/manifest/secret.yaml"
+
+  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f https://raw.githubusercontent.com/sozercan/cosign-provider/v0.0.1/policy/provider.yaml"
+
+  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f https://raw.githubusercontent.com/sozercan/cosign-provider/v0.0.1/policy/template.yaml"
+  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f https://raw.githubusercontent.com/sozercan/cosign-provider/v0.0.1/policy/constraint.yaml"
+  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "constraint_enforced k8ssignedimages signed-image"
+
+  kubectl wait --for=condition=Ready --timeout=60s pod -l run=cosign-provider
+
+  run kubectl apply -f https://raw.githubusercontent.com/sozercan/cosign-provider/v0.0.1/policy/examples/unsigned.yaml
+  assert_match 'denied the request' "${output}"
+  assert_failure
+
+  run kubectl apply -f https://raw.githubusercontent.com/sozercan/cosign-provider/v0.0.1/policy/examples/signed.yaml
+  assert_success
+
+  kubectl delete --ignore-not-found deploy signed-deployment unsigned-deployment
+  kubectl delete --ignore-not-found constrainttemplate k8ssignedimages
 }
 
 @test "applying sync config" {